Firewall with Lan to Lan, with a twist!!


This topic contains 0 replies, has 0 voices, and was last updated by  Thomas_Powers 9 years, 2 months ago.

  • #42071

    Hello All….

    Here’s what we’re doing this time.

    We will have 2 ZS boxes, call them ZS1 and ZS2, each with ETH00 as internal (lan) side and eth01 as the outside.

    ZS1 will have a VPN to ZS2 for lan to lan connectivity. That’s easy, and we have that running.

    The catch is on ZS2. It will be replacing a firewall with 2 outside IP addresses. One of the addresses will be for the VPN to connect to. The other address on the outside of ZS2 will be used to take smtp, HTTPS, and 3389 traffic to forward into an internal server. We would like people to be able to NAT out to the internet and use the 2nd address on this device.

    The firewall in ZS is complete Greek to a Windows junkie and a self-expressed Linux Noob. (No offense to the actual Greek members in the forum…love the gyros!)

    So…how does one configure the static entries on the outside addresses to react differently?

    To be more exact…let’s say that the outside addresses of ZS2 will be 66.1.1.1 and 66.1.1.2. We’ll have the VPN from ZS1 connect to 66.1.1.1, and we would like inbound SMTP, inbound https, inbound 3389 to respond on the 66.1.1.2 address and be forwarded to an internal lan ip of, let’s say, 192.168.1.250. Plus…how does one direct internal traffic from users to go out (NAT) and use the 66.1.1.2 address?

    Here’s the interesting part….how does one prevent the 66.1.1.2 address HTTPS from interfering with the remote https administration that I would like to have respond on 66.1.1.1?

    That about sums it up.

    Thanks for everyone’s help

    Tom P

    #49187

    ppalias
    Member

    It is not that hard. If you have static IPs on the 2 ZS it is easier. On the 66.1.1.1 interface of ZS2 add only one static route for the ZS1 WAN interface. On the 66.1.1.2 interface assign the default gateway. On the virtual servers section add the ports to be forwarded on the 66.1.1.2 only! NAT only on the 66.1.1.2 interface, the other one works with the tunnel. Regarding the http administration you may block the interfaces that you don’t want to listen to. There is the https menu on the administration page.
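
The split described in the reply above, written out as plain Linux netfilter rules. This is an added example, not part of the thread and not ZS's own configuration: it assumes the box uses iptables underneath, and the LAN subnets, the admin source address and the helper names `gen_rules` and `dnat_target` are assumptions.

```shell
#!/bin/sh
# Added example: prints an iptables-restore ruleset for review; it changes nothing by itself.
# Loading it as-is would replace the existing nat and filter rules, so merge, do not paste.
WAN_IF="eth01"               # outside interface, named as in the post
VPN_IP="66.1.1.1"            # VPN endpoint and remote HTTPS administration
SVC_IP="66.1.1.2"            # published services and outbound NAT
SERVER="192.168.1.250"       # internal server from the post
LAN_NET="192.168.1.0/24"     # assumption: LAN subnet behind ZS2
REMOTE_LAN="192.168.0.0/24"  # assumption: LAN subnet behind ZS1
ADMIN_SRC="203.0.113.10"     # assumption: constructed address allowed to reach the admin GUI
PORTS="25 443 3389"          # SMTP, HTTPS, RDP

gen_rules() {
    printf '%s\n' "*nat" ":PREROUTING ACCEPT [0:0]" ":POSTROUTING ACCEPT [0:0]"
    # Port forwards match SVC_IP only, so VPN_IP:443 is never rewritten.
    for p in $PORTS; do
        echo "-A PREROUTING -i $WAN_IF -d $SVC_IP -p tcp --dport $p -j DNAT --to-destination $SERVER:$p"
    done
    # LAN-to-LAN traffic must stay un-NATed (matters if the tunnel is policy-based IPsec).
    echo "-A POSTROUTING -o $WAN_IF -s $LAN_NET -d $REMOTE_LAN -j ACCEPT"
    # Everything else from the LAN leaves with the second address.
    echo "-A POSTROUTING -o $WAN_IF -s $LAN_NET -j SNAT --to-source $SVC_IP"
    printf '%s\n' "COMMIT" "*filter" ":INPUT ACCEPT [0:0]" ":FORWARD ACCEPT [0:0]"
    # Admin HTTPS answers on VPN_IP only, and only for the admin source.
    echo "-A INPUT -i $WAN_IF -s $ADMIN_SRC -d $VPN_IP -p tcp --dport 443 -j ACCEPT"
    echo "-A INPUT -i $WAN_IF -p tcp --dport 443 -j DROP"
    # Needed when the FORWARD policy is DROP: pass only connections that were DNATed.
    echo "-A FORWARD -i $WAN_IF -d $SERVER -p tcp -m conntrack --ctstate DNAT -j ACCEPT"
    echo "COMMIT"
}

# Report where a packet to <ip> <port> would be forwarded; empty output means it stays local.
dnat_target() {
    gen_rules | awk -v ip="$1" -v port="$2" '
        $1 == "-A" && $2 == "PREROUTING" {
            d = ""; p = ""; t = ""
            for (i = 3; i < NF; i++) {
                if ($i == "-d") d = $(i + 1)
                if ($i == "--dport") p = $(i + 1)
                if ($i == "--to-destination") t = $(i + 1)
            }
            if (d == ip && p == port && !seen) { print t; seen = 1 }
        }'
}

gen_rules
```

Because the forwards are keyed on the destination address, `dnat_target 66.1.1.1 443` prints nothing: HTTPS to the first address is left for the local admin listener while HTTPS to the second goes to the internal server.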
